OK, Dan (and all)
Before I make another mistake with a rule, will you check this one out for
me before I implement it?
I don't really care if someone shuts down a computer (other than servers
- can I create an exception for them?)
Would this rule prevent being notified of PCs shutting down?
<rule id="100003" level="0">
  <if_sid>18117</if_sid>
  <id>52</id>
  <description>Ignore Windows Shut down alerts</description>
</rule>
There isn't an ID associated with the event; would I leave it blank
(remove it), or would I need to find the event ID and put it in?
Also, I'm guessing that each new rule I create should have a new rule ID
number, which according to what I've read needs to start at 100000.
Randy Dover
Vice President / Information Technology Officer
Cornerstone Community Bank
6401 Lee Highway, Suite 119
Chattanooga, TN 37421
Telephone: 423-385-3010
[email protected]
-----Original Message-----
From: OSSEC HIDS [mailto:[email protected]]
Sent: Friday, May 13, 2011 2:11 PM
To: DL_ITStaff
Subject: OSSEC Notification - (IT-PH) 192.168.x.0 - Alert level 7
OSSEC HIDS Notification.
2011 May 13 14:11:03
Received From: (IT-PH) 172.16.49.0->WinEvtLog
Rule: 18117 fired (level 7) -> "Windows is shutting down."
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(513): Security: SYSTEM: NT AUTHORITY:
ITA-PH: (no message)
--END OF NOTIFICATION
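The two questions in the message (does a level-0 child rule silence the parent alert, and can servers be excepted) come down to how OSSEC walks its rule tree: a rule with `<if_sid>` is only tried after its parent fired, the first matching child replaces the parent, and a level of 0 means no alert. The script below is an added example, not the poster's configuration or OSSEC's own code: a small Python simulator of that tree walk plus a linter for the custom-rule conventions mentioned in the thread (IDs at or above 100000, no duplicates, `if_sid` pointing at a rule that exists). The rule fragment, the agent names starting with `srv-`, and the event IDs other than 513 (which appears in the quoted notification as `AUDIT_SUCCESS(513)`) are constructed for the example; it also assumes, as the Windows decoder behaves, that the number in those parentheses is what the rule's `<id>` field is compared against. Matching is approximated with Python regular expressions, which is close to but not identical to OSSEC's own matcher.

```python
"""Toy simulation of OSSEC child-rule selection and a linter for local rules."""
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment (assumption, not the poster's file):
# rule 100003 silences the stock "Windows is shutting down" alert (18117),
# rule 100004 re-raises it only for agents whose name starts with "srv-".
LOCAL_RULES = """
<group name="local,">
  <rule id="100003" level="0">
    <if_sid>18117</if_sid>
    <id>^513$</id>
    <description>Ignore Windows shutdown on workstations</description>
  </rule>
  <rule id="100004" level="7">
    <if_sid>100003</if_sid>
    <hostname>^srv-</hostname>
    <description>Windows server is shutting down</description>
  </rule>
</group>
"""

# Stock rules the local file may reference (only 18117 is needed here).
STOCK_RULE_IDS = {18117}


def load_rules(xml_text):
    """Parse the fields this simulator understands from a rules fragment."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        parents = (r.findtext("if_sid") or "").replace(" ", "")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(p) for p in parents.split(",") if p],
            "event_id": r.findtext("id"),       # regex against the decoded event ID
            "hostname": r.findtext("hostname"),  # regex against the agent name
            "description": r.findtext("description") or "",
        })
    return rules


def lint(rules, stock_ids):
    """Return human-readable problems with a set of custom rules."""
    problems = []
    local_ids = {r["id"] for r in rules}
    seen = set()
    for r in rules:
        if r["id"] < 100000:
            problems.append(f"rule {r['id']}: custom rule IDs must start at 100000")
        if r["id"] in seen:
            problems.append(f"rule {r['id']}: duplicate rule ID")
        seen.add(r["id"])
        for parent in r["if_sid"]:
            if parent not in stock_ids and parent not in local_ids:
                problems.append(f"rule {r['id']}: if_sid {parent} refers to an unknown rule")
    return problems


def rule_matches(rule, alert):
    """A child rule applies when every field it specifies matches the alert."""
    if rule["event_id"] and not re.search(rule["event_id"], alert["event_id"]):
        return False
    if rule["hostname"] and not re.search(rule["hostname"], alert["hostname"]):
        return False
    return True


def final_rule(rules, alert):
    """Descend from the stock rule that fired into the first matching child, repeatedly."""
    current = {"id": alert["base_rule"], "level": alert["base_level"],
               "description": alert["base_description"]}
    while True:
        children = [r for r in rules if current["id"] in r["if_sid"]]
        child = next((c for c in children if rule_matches(c, alert)), None)
        if child is None:
            return current
        current = child


def would_alert(rules, hostname, event_id):
    """Return (winning rule id, level, alert sent?) for a shutdown event from one agent."""
    alert = {"hostname": hostname, "event_id": event_id, "base_rule": 18117,
             "base_level": 7, "base_description": "Windows is shutting down."}
    winner = final_rule(rules, alert)
    return winner["id"], winner["level"], winner["level"] > 0


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    print("lint:", lint(rules, STOCK_RULE_IDS) or "ok")
    for host, evt in [("IT-PH", "513"), ("srv-dc1", "513"), ("IT-PH", "9999")]:
        print(host, evt, "->", would_alert(rules, host, evt))
```

Running it shows the workstation shutdown landing on rule 100003 at level 0 (no notification), the `srv-` agent landing on 100004 at level 7 (notified), and an event with a different ID staying on the stock rule 18117. The chaining is the point: the server exception is a child of the silencing rule, so it only has to describe the servers, not re-list every workstation.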